Systems and methods for authentication and fraud detection

ABSTRACT

Systems and methods are provided to stop both external and internal fraud, ensure correct actions are being followed, and information is available to fraud teams for investigation. The system includes components that can address: 1) behavioral analytics (ANI reputation, IVR behavior, account activity)—this gives a risk assessment event before a call gets to an agent; 2) fraud detection—the ability to identify, in real time, if a caller is part of a fraudster cohort&#39; and alert the agent and escalate to the fraud team; 3) identity authentication—the ability to identify through natural language if the caller is who they say they are; and 4) two factor authentication—the ability to send a text message to the caller and automatically process the response and create a case in the event of suspected fraud.

CROSS-REFERENCE TO RELATED APPLICATIONS

The application is a continuation of U.S. patent application Ser. No.16/905,111 filed on Jun. 18, 2020, entitled SYSTEMS AND METHODS FORAUTHENTICATION AND FRAUD DETECTION, which claims the benefit of priorityto U.S. Provisional Patent Application No. 62/864,169 filed on Jun. 20,2019, entitled “SYSTEMS AND METHODS FOR AUTHENTICATION AND FRAUDDETECTION.” The contents of both are hereby incorporated by reference intheir entirety.

BACKGROUND

Companies such as credit card companies, financial institutions,insurance companies, healthcare companies, and governments incur lossdue to fraudsters and fraud rings. Fraud rates are increasing, withidentity theft, account takeover (including phishing attacks) andfriendly fraud (chargebacks) the most prevalent threats. Fraud mostoften happens from an outside individual, but internal fraud alsooccurs. Much of the fraud can be traced back to the contact centers orcall centers associated with the companies.

Conventional identify authentication (IA) and fraud detection (FD)solutions focus on either the IA or FD aspect, but not both. This is notsufficient as fraud continues to increase.

SUMMARY

Systems and methods are provided to stop both external and internalfraud, ensure correct actions are being followed, and information isavailable to fraud teams for investigation. Most IAFD solutions focus oneither the IA or FD aspect. The disclosed systems contain componentsthat can address: 1) behavioral analytics (ANI reputation, IVR behavior,account activity)—this gives a risk assessment event before a call getsto an agent; 2) fraud detection—the ability to identify, in real time,if a caller is part of a fraudster cohort' and alert the agent andescalate to the fraud team; 3) identity authentication—the ability toidentify through natural language if the caller is who they say theyare; and 4) two factor authentication—the ability to send a text messageto the caller and automatically process the response and create a casein the event of suspected fraud.

All of these components may be combined into one solution thatsimultaneously reduces authentication friction for valid callers andautomatic escalation for fraudsters. This results in both a highersatisfaction for callers due to easier authentications, and reducedcosts and time for the call center due to less incorrect callescalations.

In an embodiment, a system for authenticating calls and for preventingfraud is provided. The system includes one or more processors and amemory communicably coupled to the one or more processors. The memorystores an analysis module, a biometrics module, an authenticationmodule, and a fraud module. The analysis module includes instructionsthat when executed by the one or more processors cause the one or moreprocessors to: receive a call through a first channel, wherein the callis associated with a customer and a speaker; based on one or morecharacteristics of the received call, the customer, or the channel,assign a score to the call; determine if the score satisfies athreshold; and if the score does not satisfy the threshold, flag thecall as a fraudulent call. The biometrics module includes instructionsthat when executed by the one or more processors cause the one or moreprocessors to: analyze voice data associated with the call to determinewhether the speaker is a fraudulent speaker; and if the speaker is afraudulent speaker, flag the call as a fraudulent call. Theauthentication module includes instructions that when executed by theone or more processors cause the one or more processors to: generate afirst code; retrieve a profile associated with the customer; send thefirst code to the customer through a second channel indicated by theprofile associated with the customer; receive a second code through thefirst channel; determine if the first code matches the second code; andif it is determined that the first code matches the second code, flagthe call as an authenticated call.

Embodiments may include some or all of the following features. Theanalysis module may further include instructions that when executed bythe one or more processors cause the one or more processors to: if thescore satisfies the threshold, flag the call as an authenticated call.The biometrics module may further include instructions that whenexecuted by the one or more processors cause the one or more processorsto: if the speaker is not a fraudulent speaker, flag the call as anauthenticated call. The authentication module may include instructionsthat when executed by the one or more processors cause the one or moreprocessors to: if it is determined that the first code does not matchthe second code, flag the call as an authenticated call. The fraudmodule may include instructions that when executed by the one or moreprocessors cause the one or more processors to: if the call is flaggedas a fraudulent call; receive a recording of the call; process therecording to generate one or more voiceprints for the speaker associatedwith the call; and store the generated voiceprints. Analyzing voice dataassociated with the call to determine whether the speaker is afraudulent speaker may include: retrieving voiceprints associated withfraudulent activities; determining if the voice data matches any of thevoiceprints associated with fraudulent activities; and if the determinedvoice data matches any of the voiceprints associated with the fraudulentactivities, flag the call as a fraudulent call. The biometrics modulemay further include instructions that when executed by the one or moreprocessors cause the one or more processors to: retrieve one or morevoiceprints associated with the customer; determine if the voice datamatches any of the voiceprints associated with the customer; and if thedetermined voice data matches any of the voiceprints associated with thecustomer, flag the call as an authenticated call.

In an embodiment, a method for authenticating calls and for preventingfraud is provided. The method includes: receiving a call through a firstchannel, wherein the call is associated with a customer and a speaker;determine if there are one or more voiceprints associated with thecustomer; if it is determined that there are one or more voiceprintsassociated with the customer: retrieving the one or more voiceprintsassociated with the customer; determine if voice data associated withthe call matches any of the one or more voiceprints associated with thecustomer; and if the voice data matches any of the one or morevoiceprints associated with the customer, flag the call as anauthenticated call.

Embodiments may include some or all of the following features. Themethod may further include: if the voice data does not match any of theone or more voiceprints associated with the customer, the call may beflagged as a fraudulent call. The method may further include: if it isdetermined that there are no voiceprints associated with the customer:generating a first code; retrieving a profile associated with thecustomer; sending the first code to the customer through a secondchannel indicated by the profile associated with the customer; receivinga second code through the first channel; determining if the first codematches the second code; and if it is determined that the first codematches the second code, flagging the call as an authenticated call. Themethod may further include: generating a voiceprint for the customerusing voice data associated with the call; and associating thevoiceprint with the customer.

In an embodiment, a method for authenticating calls and for preventingfraud is provided. The method includes: receiving a call through a firstchannel, wherein the call is associated with a customer and a speaker;based on one or more characteristics of the received call, the customer,or the channel, assigning a score to the call; determining if the scoresatisfies a threshold; and if the score does not satisfy the threshold,flagging the call as a fraudulent call; analyzing voice data associatedwith the call to determine whether the speaker is a fraudulent speaker;if the speaker is a fraudulent speaker, flagging the call as afraudulent call; generating a first code; retrieving a profileassociated with the customer; sending the first code to the customerthrough a second channel indicated by the profile associated with thecustomer; receiving a second code through the first channel; determiningif the first code matches the second code; and if it is determined thatthe first code matches the second code, flagging the call as anauthenticated call.

Embodiments may include some or all of the following features. Themethod may further include: if the score satisfies the threshold,flagging the call as an authenticated call. The method may furtherinclude: if the speaker is not a fraudulent speaker, flagging the callas an authenticated call. The method may further include: if it isdetermined that the first code does not match the second code, flaggingthe call as a fraudulent call. The method may further include: if thecall is flagged as a fraudulent call: receiving a recording of the call;processing the recording to generate one or more voiceprints for thespeaker associated with the call; and storing the generated one or morevoiceprints. Analyzing voice data associated with the call to determinewhether the speaker is a fraudulent speaker may include: retrievingvoiceprints associated with fraudulent activities; determining if thevoice data matches any of the voiceprints associated with fraudulentactivities; and if the determined voice data matches any of thevoiceprints associated with the fraudulent activities, flagging the callas a fraudulent call. The method may further include: retrieving one ormore voiceprints associated with the customer; determine if the voicedata matches any of the voiceprints associated with the customer; and ifthe determined voice data matches any of the voiceprints associated withthe fraudulent activities, flagging the call as an authenticated call.

This summary is provided to introduce a selection of concepts in asimplified form that are further described below in the detaileddescription. This summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended tobe used to limit the scope of the claimed subject matter.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing summary, as well as the following detailed description ofillustrative embodiments, is better understood when read in conjunctionwith the appended drawings. For the purpose of illustrating theembodiments, there is shown in the drawings example constructions of theembodiments; however, the embodiments are not limited to the specificmethods and instrumentalities disclosed. In the drawings:

FIG. 1 is an illustration of an environment for authenticating callersand for providing fraud and intrusion detection

FIGS. 2-6 are illustrations of an example user-interface;

FIG. 7 is an illustration of an example method for authenticating usersand/or identifying fraudulent users;

FIG. 8 is an illustration of an example method for authenticating usersand/or identifying fraudulent users; and

FIG. 9 shows an exemplary computing environment in which exampleembodiments and aspects may be implemented.

DETAILED DESCRIPTION

An embodiment described herein provides behavioral analytics, frauddetection, identity authentication, and two factor authentication.Behavioral analytics (e.g., ANI reputation, IVR behavior, accountactivity) gives a risk assessment event before a call gets to an agent.Fraud detection provides the ability to identify, in real time, if acaller is part of a ‘fraudster cohort’ and alert the agent and escalateto the fraud team. Identity authentication provides the ability toidentify through natural language if the caller is who they say theyare. Two factor authentication provides the ability to send a textmessage to the caller and automatically process the response and createa case in the event of suspected fraud.

FIG. 1 is an illustration of an environment 100 for authenticatingcallers and for providing fraud and intrusion detection. The environment100 may be implemented by a call center or any other entity thatreceives calls from customers or clients. A user 102 such as a customermay use a computing device 105 (or a telephone 106) to initiate a callwith an agent 152 associated with the environment 100. The agent 152 mayreceive the call via a channel 108 such as a VOIP line, POTS line, or acellular channel. Any channel suitable for voice communication may beused.

The agent 152 may receive the call from the customer on an agentcomputing device 155. The agent computing device 155 may be equippedwith both human and virtual voice agent capabilities.

Besides the agent 152, the call may also be received (at the same timeor later) by a computing device 110 associated with the call centerenvironment 100. The computing device 110 may provide one or more callcenter services to the user 102 such as interactive voice responseservices (“IVR”) where the user may be presented with an automatedsystem that may determine the optimal agent 152 to direct the call, maydetermine the identity of the customer, or may retrieve otherinformation from the customer in an automated way.

As may be appreciated, the computing device 105, agent computing device155, and the computing device 110 may each be implemented by one or moregeneral purpose computing devices 110 such as the computing device 900illustrated with respect to FIG. 9.

In order to detect fraud, detect intrusions, and provide authenticationwith respect to one more calls and users 102, the computing device 110may include one or more modules. As illustrated, these modules includean analytics model 115; a biometrics module 120; an authenticationmodule 130; and a fraud module 140. More or fewer modules may besupported. Depending on the implementation, some or all of the modules115, 120, 130, and 140 may be implemented the same computing device 110,or by some combination of computing devices 110. In addition, some orall of the modules 115, 120, 130, and 140 may be implemented by acloud-based computing system. Furthermore, some or all of the modules115, 120, 130, and 140 may be implemented in a call center.

The analytics module 115 may generate a score 118 for a current orreceived call. The score 118 may represent how likely it is that aparticular call is associated with fraud (e.g., a known fraudster orfraudulent user) or is otherwise suspect. For example, the score 118 maybe a 1-5 score where 1 represents a call that is not likely to beassociated with fraud, and 5 represents a call that is very likely to beassociated with fraud. Other scales or scoring methods may be used.

As will be described further below, the analytics module 115 maydetermine the score 118 for a call and may transmit the score 118 to theagent computing device 155 associated with the agent 152 that ishandling the call. For example, the score 118 may be displayed to theagent 152 on a dashboard or other user-interface being viewed by theagent 152 during the call. The dashboard may display information aboutthe call such as a (purported) name of the customer and any informationdetermined for the customer by an IVR or the agent 152.

In some implementations, the analytics module 115 may generate the score118 for the call using one or more characteristics 117 of the call. Thecharacteristics of the call may include knowledge based characteristics117 such as carrier information (e.g., is the carrier used by the callerassociated with fraud), the channel 108 associated with the call (e.g.,some channels such as VoIP may be more associated with fraud thanlandlines), country, city, or state of origin, and whether or not anyANI spoofing is detected or if the number used for the call is known tobe spoofed or associated with fraud.

The characteristics 117 may further include reputation basedcharacteristics 117 such as an account history associated with thenumber or customer, information from an ANI blacklist, previousindicators associated with the number or caller, and informationassociated with an escalating threat level (e.g., are fraud detectionscurrently on the rise in the contact center?). The characteristics 117may include behavior-based characteristics 117 learned about the callerby the IVR (or PBX) such as call flow actions, caller pattern probing,call velocity and frequency, and cross program detection. Othercharacteristics 117 may be used.

Depending on the embodiment, if the score 118 generated for a call orcaller is above (or below) a threshold, the call may be flagged by theanalytics module 115 as authenticated or otherwise unlikely to beassociated with fraud. After being authenticated, the agent 152 mayproceed with the business or purpose of the call without furtherauthenticating the user 102.

If the score 118 generated for the call is below (or above) thethreshold, the computing device 110 may continue to authenticate thecall. In particular, the biometrics module 120 may process voice dataassociated with the call to determine if the speaker associated with thecall is the customer that the speaker purports to be and may process thevoice data to determine if the speaker matches any known fraudsters(i.e., fraudulent users). As used herein the term speaker is used todistinguish the user 102 speaking on the call from the term customer.The customer is the user 102 associated with the account and may be theuser 102 that the speaker on the call purports to be. When the call isauthenticated, the speaker and the customer are determined to be thesame user 102.

When the speaker is connected to the agent 152, the agent 152 welcomesthe speaker and asks the speaker to provide their customer name andaccount information. As this information is provided the biometricsmodule 120 processes the voice data in real-time using one or morevoiceprints 121 that are associated with the customer. Depending on theembodiment, the biometrics module 120 may use passive voice biometricswhich may not require the customer to actively enroll their voice.Instead, voiceprints 121 may be created automatically for a customerbased on their voice data collected from a call. Any method for creatingvoiceprints 121 may be used.

If the biometrics module 120 determines that the voice data matches avoiceprint 121 associated with the customer (or a voiceprint associatedwith customers on a white list), then the biometrics module 120 may flagthe call as authenticated and may proceed as described above. If thebiometrics module 120 determines that the voice data does not match anyvoiceprint 121 associated with the customer (or there are no voiceprintsassociated with the customer), the biometrics module 120 may hand offprocessing of the call to the authentication module 130.

The biometrics module 120 may further retrieve voiceprints 121associated with known fraudsters or fraudulent users. If the voice dataassociated with the call matches a voiceprint 121 associated with aknown fraudulent user, then the biometrics module 120 may flag the callas being a fraudulent call.

The authentication module 130 may authenticate the speaker on the callusing what is known as two factor authentication. In one implementation,the authentication module 130 may perform the two factor authenticationby first determining a second channel 108 associated with the user 102.The second channel 108 may be different than the first channel 108 beingused and may include mobile phones (i.e., text or SMS), email, etc. Thesecond channel 108 may be determined from a profile associated with theuser 102 (i.e., customer) or user account.

After determining the second channel 108, the authentication module 130may generate a code 131 and may send the code 131 to the user 102 viathe second channel 108. For example, if the second channel 108 is email,the authentication module 130 may send the code 131 to the user 102 atthe email address associated with the user 102.

The authentication module 130 may then later receive a code 131 from theuser 102 via the first channel 108 (i.e., the call). For example, theagent 152 may ask the user 102 to repeat the code 131 included in theemail received via the second channel 108. Depending on the embodiment,the user 102 may speak the code 131 to the agent 152 or may provide thecode 131 directly to the authentication module 130 via the internet. Ifthe received code 131 matches the sent code 131 then the authenticationmodule 130 may flag the call and user 102 as authenticated. After beingauthenticated, the agent 152 may proceed with the business or purpose ofthe call without further authenticating the user. If the received code131 does not match the sent code 131, the authentication module 130 mayflag the call as fraudulent.

Furthermore, after the authentication module 130 authenticates the user,additional fraud and authentication related steps may be performed bythe computing device 110. For example, in scenarios where the biometricsmodule 120 was unable to authenticate the user 102 due to incomplete ornon-existing voiceprints 121, the biometrics module 120 may attempt togenerate one or more voiceprints 121 for the user 102. In someimplementations, the biometrics module 120 may generate the one or morevoiceprints 121 using the voice data provided by the user 102 at thebeginning of the call. In other implementations, after the call has beencompleted, the biometrics module 120 may use voice data extracted from arecording of the call and may generate the voiceprints 121 from thevoice data.

The fraud module 140 may process information related to calls marked orflagged as fraudulent to investigate whether the calls are fraudulentcalls and to learn rules or other information that can be later used toidentify fraudulent calls or users 102. Initially, when a call is markedor flagged as fraudulent, an indicator or other information may bedisplayed to the agent 152 to let them know that the call may befraudulent. In addition, in response to the call being flagged asfraudulent, the agent 152 may be provided with questions to ask thespeaker during the call. These questions may be selected to keep thespeaker participating on the call and to collect additional informationabout the speaker that can be used by the fraud module 140 to bothbetter determine if the call is fraudulent, and to update rules orcharacteristics that can be later used to identify fraudulent calls.Alternatively, or additionally, in response to the call being flagged asfraudulent, the call may be transferred to an agent 152 speciallytrained on how to deal with fraudulent calls.

After a call has been completed (or while the call is in progress), thefraud module 140 may be provided with information about the call (i.e.,a case) such a recording of the call, any characteristics 117 of thecall, and any information collected for the call by the IVR system. Thefraud module 140 may then process the information and call recording todetermine rules or other characteristics that are indicative of afraudulent call. For example, the fraud module 140 may determineadditional call characteristics 117 that may be used by the analyticsmodule 115 to generate a score 118 for a call.

In some implementations the fraud module 140 may be associated with afraud team. The fraud team may track fraudulent calls across multipledepartments of a company or organization. This may help the organizationidentify fraudulent call trends in the organization and to possibly getahead of a fraudulent caller that is calling multiple departments. Thefraud team may ultimately determine whether or not a call was properlytagged as fraudulent.

The fraud module 140 may further generate one or more reports 141 basedon the fraudulent calls identified by the fraud module 140. The reports141 can be used to track, manage, and improve fraud practice for anorganization. In some implementations, the reports 141 may indicatecalls that were successfully identified as fraud, calls that were notsuccessfully identified as fraud, as well as the number of voiceprints121 (for users 102 or fraudsters) that have been collected by thesystem. The reports can be used for training and/or coaching agents 152to reduce the overall training time.

Depending on the embodiment, a report 141 may include an alert for eachcall that is flagged or determined to be fraudulent. The reports 141 mayinclude for each alert: 1) alert summary: score and threat level;channel information (phone number, carrier line type, chat, web, email,etc.); line risk indicator (carrier/line correlation with fraudulentactivity); events (number of times application has been access viaspecified channel identifier); accounts (different accounts accessed viaspecified channel identifier); user active duration (days user hasaccess the system via the indicated channel); spoof risk (level ofthreat that channel identifier has been spoofed); access to detailedinformation about alert; and 2) alert details: score and threat level;channel information; score report; state management (status); scorehistory (chart shows risk score for channel identifier over time);events (additional details for each event where the channel identifieraccessed the application); link back to call recording. Otherinformation may be included for each alert in a report 141.

FIG. 2 is an illustration of an example user-interface 200. Theuser-interface 200 may be displayed to an agent 152 on their agentcomputing device 155 during a call with a user 102. As shown in a window201, the agent 152 is on a call with a speaker (i.e., user 102) whopurports to be the customer named “David Singer.” The speaker may haveprovided the name David Singer during an IVR session that took placebefore the call was transferred to the agent 152. Because the customerhas not yet been authenticated, the window 201 lists the speaker as “notverified.”

The user-interface 200 further includes windows 203, 205, 207, and 209that each correspond to another method or means of verifying orauthenticating the speaker or customer. The window 203 includesverification based on call characteristics 117 such as ANI. The window205 includes verification based on biometrics such as voiceprints 121.The window 207 includes verification using two factor authentication.The window 209 includes verification based on security questionsassociated with the user. Depending on the embodiment, theuser-interface 200 further includes a window 211 that displays chats orother messages received from other agents 152. The agents 152 may usethe window 211 to share observations and trends they are observing whilehandling calls.

Continuing to FIG. 3, the analysis module 115 may have generated a score118 for the call associated with the information displayed in theuser-interface 200 based on the characteristics 117 associated with thecall. In the example shown, the word “passed” has been displayed in thewindow 203 indicating to the agent 152 that the generated score 118 wasabove the threshold for calls and is therefore low risk. While thewindow 203 indicates that the score 118 was based on the ANI associatedwith the call, other characteristics 117 may be used by analysis module115 to generate the score 118 including ANI velocity, carrier, linetype, location, behavior (IVR), spoof detection, etc.

Continuing to FIG. 4, the biometrics module 120 may have performed abiometrics check on the speaker associated with the call. In the exampleshown, the word “passed” has been displayed in the window 205 indicatingto the agent 152 that the speaker has passed the biometric analysis.Depending on the embodiment, the speaker may pass if the voice dataassociated with the call does not match against a voiceprint 121associated with a known fraudster, or the speaker may pass if the voicedata associated with the call matches against a voiceprint 121associated with the purported customer name (i.e., “David Singer”).

Continuing to FIG. 5, the authentication module 130 may have begun toperform two factor authentication on the call in response to the agent152 pressing or selecting the button labeled “send SMS” in the window207. In response, the authentication module 130 may have generated acode 131 and may have sent the code 131 (via SMS) to a number associatedwith the user 102 (i.e., “David Singer”). After sending the code 131, awindow 501 was displayed in the user-interface 200 asking the agent toenter a code 131 spoken by the user 102 to the agent 152. Because thespoken and sent codes will match only if the user 102 also has access tothe computing device 105 (e.g., smartphone) associated with the numberthat the code 131 was sent to, if the user 102 provides a matching code131 to the agent 152, then the authentication module 130 may assume thatthe user 102 is who they purport to be (i.e., “David Singer”).

Continuing to FIG. 6, the codes 131 matched and the window 207 has beenupdated by the authentication module 130 to show that the user 102“Passed two factor authentication.” Because the user 102 wassuccessfully authenticated using the methods associated with the windows203, 205, and 207, the agent 152 may not be required to authenticateusing the security questions shown in the window 209.

FIG. 7 is an illustration of an example method 700 for authenticatingusers and/or identifying fraudulent users. The method 700 may beimplemented by one or more of the biometrics module 120, theauthentication module 130, and the fraud module 140 of the computingdevice 110. The method 700 may be implemented in a call center.

At 705, a call is received through a first channel. The call may bereceived by an agent computing device 155 associated with an agent 152.The call may be associated with a customer (i.e., a user 102) and aspeaker. The speaker may be the person speaking on the call, and thecustomer may be the user 102 that the speaker purports to be. Dependingon the embodiment, the speaker may have identified themselves as thecustomer to an IVR system, and/or may have identified themselves as thecustomer to the agent 152. The first channel 108 may be a telephone linesuch as a cellular phone, a VoIP phone, or a POTS phone. Other channels108 may be used.

At 710, whether there are one or more voiceprints 121 associated withthe customer is determined. The determination may be made by thebiometrics module 120. Depending on the embodiment, the biometricsmodule 120 may store voiceprints 121 for customers as well as knownfraudulent users. If there are one or more voiceprints 121 associatedwith the customer, then the method 700 may continue at 715. Else themethod 700 may continue at 735.

At 715, the one or more voiceprints 121 are retrieved. The one or morevoiceprints 121 may be retrieved by the biometrics module 120 from aprofile associated with the customer or user, for example.

At 720, a determination is made as to whether any of the one or morevoiceprints 121 match voice data associated with the call. Thedetermination may be made by the biometrics module 120. The voice datamay comprise various words and phrases spoken by the speaker to one orboth of the IVR system or the agent 152. Any method for matchingvoiceprints 121 against voice data may be used. If any of thevoiceprints 121 match the voice data, the method 700 may continue at730.

As may be appreciated, if the voce data matches any of the voiceprints121 associated with the speaker, then the biometrics module 120 can beassured that the speaker is the customer that they purport to be.Accordingly, no further authentication (such as two factor or securityquestions) may be necessary for the call. By reducing the amount ofauthentication that is required, the call experience of the customers isimproved, and the total amount of time spent per call by agents 152 isreduced.

At 725, the call is flagged as fraudulent. The call may be flagged asfraudulent by one or both of the biometrics module 120 or theauthentication module 130. In response to flagging the call asfraudulent, the call may be transferred to an agent 152 that specializesin fraudulent calls. In addition, a recording of the call, and otherinformation about the call such as characteristics 117 of the call, maybe sent to the fraud module 140. The fraud module 140 may analyze therecording of the call and the information about the call to try todetermine one or more or rules that can be used to identify fraudulentcalls or fraudulent users 102. In addition, the fraud module 140 mayidentify trends in fraudulent call activity and may share anyinformation learned with other call centers or other company divisionsor subsidiaries. Depending on the embodiment, one or more voiceprints121 may be generated from the recorded call and may be added to a groupof voiceprints 121 that are known to be associated with fraudulent users102.

At 730, the call is flagged as authenticated. The call may be flagged asauthenticated by one or both of the biometrics module 120 or theauthentication module 130. After the call is authenticated, the agent152 may proceed with addressing the reason that the customer initiatedthe call in the first place.

At 735, two factor authentication is performed. The two factorauthentication may be performed by the authentication module 130.Because there was no voiceprint 121 associated with the customer, theauthentication module 130 may authenticate the speaker using two factorauthentication. Depending on the embodiment, the authentication module130 may send a code 131 to the speaker using a second channel 108 thatis indicated in a profile associated with the customer. Other methodsfor authentication such as security questions may be used if two factorauthentication is not available. For example, a user 102 may not haveset up two factor authentication yet.

At 740, whether the authentication was successful is determined. Thedetermination may be made by the authentication module 130. For twofactor authentication, the authentication is successful when the speakerspeaks the correct code 131 back to the agent 152. For authenticationbased on security questions, the authentication is successfully when thespeaker provided the correct answers to the security questions. If theauthentication was successful, then the method 700 may proceed to 730where the call may be flagged as authenticated. If the authenticationwas not successful, the method 700 may proceed to 725 where the call maybe flagged as fraudulent.

FIG. 8 is an illustration of an example method 800 for authenticatingusers and/or identifying fraudulent users. The method 800 may beimplemented by one or more of the analytics module 115, the biometricsmodule 120, the authentication module 130, and the fraud module 140 ofthe computing device 100. The method 800 may be implemented in a callcenter.

At 805, a call is received through a first channel. The call may bereceived by an agent computing device 155 associated with an agent 152.The call may be associated with a customer (i.e., a user 102) and aspeaker. The speaker may be the person speaking on the call, and thecustomer may be the user 102 that the speaker purports to be. Dependingon the embodiment, the speaker may have identified themselves as thecustomer to an IVR system, and/or may have identified themselves as thecustomer to the agent 152. The first channel 108 may be a telephone linesuch as a cellular phone, a VoIP phone, or a POTS phone. Other channels108 may be used.

At 810, a score is assigned to the call. The score 118 may be assignedto the call by the analytics module 115 based on one or morecharacteristics 117 of the call. Depending on the embodiment thecharacteristics 117 may include knowledge-based characteristics 117,reputation-based characteristics 117, and behavior-based characteristics117. Other characteristics 117 may be considered. Examplecharacteristics include the number of calls associated with the number,the number of calls associated with the customer or user 102, carrierinformation, the type of channel 108 used, call origin, ANI information,IVR information, PBX information, call velocity, and cross platformdetection. Other characteristics 117 may be used.

At 815, a determination as to whether the score 118 satisfies athreshold is determined. The determination may be made by the analyticsmodule 115. If the score satisfies the threshold (e.g., is less than thethreshold), the method 800 may continue at 840. Else, the method 800 maycontinue at 820.

At 820, a determination is made as to whether the call is associatedwith a fraudulent speaker. The determination may be made by thebiometrics module 120 by comparing voice data associated with the callwith voiceprints 121 known to be associated with fraudulent speakers. Ifany of the voiceprints 121 match the method 800 may continue at 830.Else, the method 800 may continue at 825.

At 825, a determination is made as to whether the speaker isauthenticated. The determination may be made by the biometrics module120 and/or the authentication module 130. In some implementations, thebiometrics module 120 may authenticate the speaker by comparing voicedata associated with the call with voiceprints 121 known to beassociated with the user 102 corresponding to the speaker. Alternativelyor additionally, the authentication module 130 may authenticate thespeaker using two factor authentication. If the speaker is authenticatedthe method 800 may continue at 840. Else, the method 800 may continue at830.

At 830, the call is flagged as fraudulent. The call may be flagged asfraudulent by any of the analytics module 115, the biometrics module120, or the authentication module 130.

At 835, the call is sent for fraud processing. The call, including anyinformation about the call and a recording of the call, may be sent tothe fraud module 140 for fraud processing. The fraud processing mayinclude analyzing the recording of the call and the information aboutthe call to try to determine one or more or rules that can be used toidentify fraudulent calls or fraudulent users 102. In addition, thefraud module 140 may identify trends in fraudulent call activity and mayshare any information learned with other call centers or other companydivisions or subsidiaries. Depending on the embodiment, one or morevoiceprints 121 may be generated from the recorded call and may be addedto the voiceprints 121 that are known to be associated with fraudulentusers 102.

At 840, the call is flagged as authenticated. The call may be flagged asauthenticated by one or more of the analytics module 115, the biometricsmodule 120, or the authentication module 130. After the call isauthenticated, the agent 152 may proceed with addressing the reason thatthe customer initiated the call in the first place.

FIG. 9 shows an exemplary computing environment in which exampleembodiments and aspects may be implemented. The computing deviceenvironment is only one example of a suitable computing environment andis not intended to suggest any limitation as to the scope of use orfunctionality.

Numerous other general purpose or special purpose computing devicesenvironments or configurations may be used. Examples of well-knowncomputing devices, environments, and/or configurations that may besuitable for use include, but are not limited to, personal computers,server computers, handheld or laptop devices, multiprocessor systems,microprocessor-based systems, network personal computers (PCs),minicomputers, mainframe computers, embedded systems, distributedcomputing environments that include any of the above systems or devices,and the like.

Computer-executable instructions, such as program modules, beingexecuted by a computer may be used. Generally, program modules includeroutines, programs, objects, components, data structures, etc. thatperform particular tasks or implement particular abstract data types.Distributed computing environments may be used where tasks are performedby remote processing devices that are linked through a communicationsnetwork or other data transmission medium. In a distributed computingenvironment, program modules and other data may be located in both localand remote computer storage media including memory storage devices.

With reference to FIG. 9, an exemplary system for implementing aspectsdescribed herein includes a computing device, such as computing device900. In its most basic configuration, computing device 900 typicallyincludes at least one processing unit 902 and memory 904. Depending onthe exact configuration and type of computing device, memory 904 may bevolatile (such as random access memory (RAM)), non-volatile (such asread-only memory (ROM), flash memory, etc.), or some combination of thetwo. This most basic configuration is illustrated in FIG. 9 by dashedline 906.

Computing device 900 may have additional features/functionality. Forexample, computing device 900 may include additional storage (removableand/or non-removable) including, but not limited to, magnetic or opticaldisks or tape. Such additional storage is illustrated in FIG. 9 byremovable storage 908 and non-removable storage 910.

Computing device 900 typically includes a variety of computer readablemedia. Computer readable media can be any available media that can beaccessed by the device 1300 and includes both volatile and non-volatilemedia, removable and non-removable media.

Computer storage media include volatile and non-volatile, and removableand non-removable media implemented in any method or technology forstorage of information such as computer readable instructions, datastructures, program modules or other data. Memory 904, removable storage908, and non-removable storage 910 are all examples of computer storagemedia. Computer storage media include, but are not limited to, RAM, ROM,electrically erasable program read-only memory (EEPROM), flash memory orother memory technology, CD-ROM, digital versatile disks (DVD) or otheroptical storage, magnetic cassettes, magnetic tape, magnetic diskstorage or other magnetic storage devices, or any other medium which canbe used to store the desired information and which can be accessed bycomputing device 900. Any such computer storage media may be part ofcomputing device 900.

Computing device 900 may contain communication connection(s) 912 thatallow the device to communicate with other devices. Computing device 900may also have input device(s) 914 such as a keyboard, mouse, pen, voiceinput device, touch input device, etc. Output device(s) 916 such as adisplay, speakers, printer, etc. may also be included. All these devicesare well known in the art and need not be discussed at length here.

It should be understood that the various techniques described herein maybe implemented in connection with hardware components or softwarecomponents or, where appropriate, with a combination of both.Illustrative types of hardware components that can be used includeField-programmable Gate Arrays (FPGAs), Application-specific IntegratedCircuits (ASICs), Application-specific Standard Products (ASSPs),System-on-a-chip systems (SOCs), Complex Programmable Logic Devices(CPLDs), etc. The methods and apparatus of the presently disclosedsubject matter, or certain aspects or portions thereof, may take theform of program code (i.e., instructions) embodied in tangible media,such as floppy diskettes, CD-ROMs, hard drives, or any othermachine-readable storage medium where, when the program code is loadedinto and executed by a machine, such as a computer, the machine becomesan apparatus for practicing the presently disclosed subject matter.

Although exemplary implementations may refer to utilizing aspects of thepresently disclosed subject matter in the context of one or morestand-alone computer systems, the subject matter is not so limited, butrather may be implemented in connection with any computing environment,such as a network or distributed computing environment. Still further,aspects of the presently disclosed subject matter may be implemented inor across a plurality of processing chips or devices, and storage maysimilarly be effected across a plurality of devices. Such devices mightinclude personal computers, network servers, and handheld devices, forexample.

Although the subject matter has been described in language specific tostructural features and/or methodological acts, it is to be understoodthat the subject matter defined in the appended claims is notnecessarily limited to the specific features or acts described above.Rather, the specific features and acts described above are disclosed asexample forms of implementing the claims.

What is claimed:
 1. A system for authenticating calls and for preventingfraud comprising: one or more processors; a memory communicably coupledto the one or more processors and storing: an analysis module includinginstructions that when executed by the one or more processors cause theone or more processors to: receive a call through a first channel,wherein the call is associated with a customer and a speaker; based onone or more characteristics of the received call, the customer, or thechannel, assign a score to the call; determine if the score satisfies athreshold; and if the score does not satisfy the threshold, flag thecall as a fraudulent call; a biometrics module including instructionsthat when executed by the one or more processors cause the one or moreprocessors to: analyze voice data associated with the call to determinewhether the speaker is a fraudulent speaker; and if the speaker is afraudulent speaker, flag the call as a fraudulent call; and anauthentication module including instructions that when executed by theone or more processors cause the one or more processors to: generate afirst code; receive a second code; determine if the first code matchesthe second code; and if it is determined that the first code matches thesecond code, flag the call as an authenticated call.
 2. The system ofclaim 1, wherein the analysis module further includes instructions thatwhen executed by the one or more processors cause the one or moreprocessors to: if the score satisfies the threshold, flag the call as anauthenticated call.
 3. The system of claim 1, wherein the biometricsmodule further includes instructions that when executed by the one ormore processors cause the one or more processors to: if the speaker isnot a fraudulent speaker, flag the call as an authenticated call.
 4. Thesystem of claim 1, wherein the authentication module further includesinstructions that when executed by the one or more processors cause theone or more processors to: if it is determined that the first code doesnot match the second code, flag the call as a fraudulent call.
 5. Thesystem of claim 1, further comprising a fraud module includinginstructions that when executed by the one or more processors cause theone or more processors to: If the call is flagged as a fraudulent call;receive a recording of the call; process the recording to generate oneor more voiceprints for the speaker associated with the call; and storethe generated voiceprints.
 6. The system of claim 1, wherein analyzingvoice data associated with the call to determine whether the speaker isa fraudulent speaker comprises: retrieving voiceprints associated withfraudulent activities; determining if the voice data matches any of thevoiceprints associated with fraudulent activities; and if the determinedvoice data matches any of the voiceprints associated with the fraudulentactivities, flag the call as a fraudulent call.
 7. The system of claim1, wherein the biometrics module further includes instructions that whenexecuted by the one or more processors cause the one or more processorsto: retrieve one or more voiceprints associated with the customer;determine if the voice data matches any of the voiceprints associatedwith the customer; and if the determined voice data matches any of thevoiceprints associated with the customer, flag the call as anauthenticated call.
 8. A method for authenticating calls and forpreventing fraud comprising: receiving a call through a first channel bya computing device, wherein the call is associated with a customer and aspeaker; determine if there are one or more voiceprints associated withthe customer by the computing device; if it is determined that there areone or more voiceprints associated with the customer: retrieving the oneor more voiceprints associated with the customer by the computingdevice; determining if voice data associated with the call matches anyof the one or more voiceprints associated with the customer by thecomputing device; and if the voice data matches any of the one or morevoiceprints associated with the customer, flagging the call as anauthenticated call by the computing device.
 9. The method of claim 8,further comprising: if the voice data does not match any of the one ormore voiceprints associated with the customer, flagging the call as afraudulent call.
 10. The method of claim 8, further comprising: if it isdetermined that there are no voiceprints associated with the customer:generating a first code; receiving a second code; determining if thefirst code matches the second code; and if it is determined that thefirst code matches the second code, flagging the call as anauthenticated call.
 11. The method of claim 8, wherein the method isimplemented in a call center.
 12. A method for authenticating calls andfor preventing fraud comprising: receiving a call through a firstchannel by a computing device, wherein the call is associated with acustomer and a speaker; based on characteristics of the received call,the customer, and the channel, assigning a score to the call by thecomputing device; determining if the score satisfies a threshold by thecomputing device; and if the score does not satisfy the threshold,flagging the call as a fraudulent call by the computing device.
 13. Themethod of claim 12, further comprising: if the score satisfies thethreshold, flagging the call as an authenticated call.
 14. The method ofclaim 12, further comprising: analyzing voice data associated with thecall to determine whether the speaker is a fraudulent speaker; if thespeaker is a fraudulent speaker, flagging the call as a fraudulent call.15. The method of claim 12, wherein the method is implemented in a callcenter.
 16. The method of claim 14, wherein analyzing voice dataassociated with the call to determine whether the speaker is afraudulent speaker comprises: retrieving voiceprints associated withfraudulent activities; determining if the voice data matches any of thevoiceprints associated with fraudulent activities; and if the determinedvoice data matches any of the voiceprints associated with the fraudulentactivities, flagging the call as a fraudulent call.
 17. The method ofclaim 12, further comprising: generating a first code; receiving asecond code; determining if the first code matches the second code; andif it is determined that the first code matches the second code,flagging the call as an authenticated call.
 18. The method of claim 17,further comprising: if it is determined that the first code does notmatch the second code, flagging the call as a fraudulent call.
 19. Themethod of claim 12, further comprising: if the call is flagged as afraudulent call: receiving a recording of the call; processing therecording to generate one or more voiceprints for the speaker associatedwith the call; and storing the generated one or more voiceprints. 20.The method of claim 12, further comprising: retrieving one or morevoiceprints associated with the customer; determining if the voice datamatches any of the voiceprints associated with the customer; and if thedetermined voice data matches any of the voiceprints associated with thefraudulent activities, flagging the call as an authenticated call.